    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_26]
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_26]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:381) [jbossweb-7.0.13.Final.jar:]
    at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
    at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_26]

I cannot figure out how to avoid having an exception in the error log when authentication of a user fails (incorrect credentials).

JBossCachedAuthenticationManager calls LoginContext.login - if this throws an exception, then the exception is logged at error level. If the call fails to throw an exception, LoginContext.getSubject will never return null, and authentication will be determined to have been successful.

See this snippet from java-6-sun LoginContext which shows the loginSucceeded boolean, which is used later on when calling LoginContext#getSubject.

    public void login() throws LoginException {
        loginSucceeded = false;

        if (subject == null) {
            subject = new Subject();
        }

        try {
            if (configProvided) {
                // module invoked in doPrivileged with creatorAcc
                invokeCreatorPriv(LOGIN_METHOD);
                invokeCreatorPriv(COMMIT_METHOD);
            } else {
                // module invoked in doPrivileged
                invokePriv(LOGIN_METHOD);
                invokePriv(COMMIT_METHOD);
            }
            loginSucceeded = true;
        } catch (LoginException le) {
            try {
                if (configProvided) {
                    invokeCreatorPriv(ABORT_METHOD);
                } else {
                    invokePriv(ABORT_METHOD);
                }
            } catch (LoginException le2) {
                throw le;
            }
            throw le;
        }
    }

I'm not sure what the correct behaviour should be here - it seems that LoginContext.login throws an error if authentication failed for any reason - whether that reason is that the user has supplied the incorrect credentials, or that all the login modules are broken. If an exception may not be exceptional, perhaps it should be logged at debug?

Are you sure? If we hide it at debug, users come back and chew on us saying, why are you hiding the exception? Now if we get exceptions in the log which need to be logged, you are saying, we need to put them to debug.
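On the question raised in this thread, one way a caller of LoginContext.login can separate rejected credentials from broken login modules is by the LoginException subclass. This is an added example, not code from PicketBox or JBoss AS: DemoModule, levelFor, attempt and the chosen log levels are hypothetical, and it assumes the login module signals bad credentials with FailedLoginException or a CredentialException/AccountException subclass.

```java
import java.util.*;
import java.util.logging.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class LoginFailureLogging {
    private static final Logger LOG = Logger.getLogger("auth.demo");
    // Constructed module: mode "bad" rejects the credentials, anything else simulates an outage.
    public static class DemoModule implements LoginModule {
        private String mode;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            mode = (String) opts.get("mode");
        }
        public boolean login() throws LoginException {
            if ("bad".equals(mode)) throw new FailedLoginException("Password incorrect");
            throw new LoginException("user store unreachable");
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // Rejected credentials or account state are expected events; anything else is a fault.
    static Level levelFor(LoginException e) {
        return (e instanceof FailedLoginException || e instanceof CredentialException
                || e instanceof AccountException) ? Level.FINE : Level.SEVERE;
    }
    static Level attempt(final String mode) {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Collections.singletonMap("mode", mode)) };
            }
        };
        try {
            new LoginContext("demo", null, null, cfg).login();
            return Level.INFO;
        } catch (LoginException e) {
            Level level = levelFor(e);
            // Stack trace only for faults; a rejected login gets a one-line message.
            if (level == Level.SEVERE) LOG.log(level, "Login module failure", e);
            else LOG.log(level, "Login rejected: {0}", e.getMessage());
            return level;
        }
    }
    public static void main(String[] args) {
        System.out.println("bad=" + attempt("bad") + " broken=" + attempt("broken"));
    }
}
```

Lowering the level for rejected logins only keeps stack traces out of the error log; failed attempts should still reach an audit trail so repeated failures against one account remain detectable.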